Abstract

The paper presents a minimal proof theory which is adequate for proving the main important temporal properties of reactive programs. The properties we consider consist of the classes of invariance, response, and precedence properties. For each of these classes we present a small set of rules that is complete for verifying properties belonging to this class. We illustrate the application of these rules by analyzing and verifying the properties of a new algorithm for mutual exclusion.


1  Introduction 


In this paper we present a minimal proof theory that is adequate for proving interesting properties of concurrent programs. The simple theory is illustrated on a single example, which is a new and interesting algorithm for mutual exclusion [Szy88].


There are several points we would like to demonstrate in this paper. The first and main point is that very little general (temporal) theory is required to handle the most important properties of concurrent programs. The types of properties on which a practicing verifier (hoping that such a position will eventually become a standard in any quality assurance team) typically spends most of his time usually fall into two or three simple classes. By presenting a simple but complete set of rules for verifying properties belonging to each of these classes, we provide the practicing verifier with precisely the tools he needs. This pragmatic approach can be nicely complemented by a more theoretical presentation of a comprehensive theory of a language of specification (temporal logic would have been our choice), its power to express a wide spectrum of program properties, and a comprehensive proof theory and investigation of its completeness (see for example [MP89a]). However, it may be an educational mistake to require the study of such a comprehensive approach as an essential requisite for the pragmatic application of the verification tools that result from the general theory.

* This research was supported in part by the National Science Foundation under grants CCR-89-11512 and CCR-89-13641; by the Defense Advanced Research Projects Agency under contract N00039-84-C-0211; by the United States Air Force Office of Scientific Research under contract AFOSR-90-0057; and by the European Community ESPRIT Basic Research Action project 3096 (SPEC).

Department of Computer Science, Stanford University, Stanford, CA 94305
Department of Applied Mathematics, Weizmann Institute, Rehovot, Israel

Consequently,  the  approach  we  take  in  this  paper  is  to  circumvent  the  general  theory 
of  temporal  logic  and  proceed  as  directly  as  possible  to  the  introduction  of  the  classes  of 
properties  that  are  most  frequently  verified,  and  to  the  proof  rules  that  are  appropriate 
for  their  verification. 

There are three classes of properties we consider in this paper, which we believe cover the majority of properties one would ever wish to verify.

• Invariance - An invariance property refers to an assertion p, and requires that p is an invariant over all the computations of a program P, i.e., all the states arising in a computation of P satisfy p. In temporal logic notation, such properties are expressed by □p, for a state formula p.

• Response - A response property refers to two assertions p and q, and requires that every p-state (a state satisfying p) arising in a computation is eventually followed by a q-state. In temporal logic notation this is written as p ⇒ ◇q. In the Unity notation (see [CM88]), this property is called a leads-to property, and written as p ↦ q.

• Precedence - A simple precedence property refers to three assertions p, q, and r. It requires that any p-state initiates a q-interval (i.e., an interval all of whose states satisfy q) which either runs to the end of the computation, or is terminated by an r-state. Such a property is useful in order to express the restriction that, following a certain condition, one future event will always be preceded by another future event. For example, it may express the property that, from the time a certain input has arrived, there will be an output before the next input. Note that this does not guarantee that output will actually be produced. It only guarantees that the next input (if any) will be preceded by an output. In temporal logic, this property is expressed by p ⇒ (q U r), using the unless operator (weak until) U. More complex precedence properties refer to a sequence of assertions q_0, ..., q_{m-1}, and replace the requirement of a single q-interval by a requirement of a succession of a q_0-interval, followed by a q_1-interval, ..., followed by a q_{m-1}-interval.

According to the classification of properties in [AS85], the invariance and precedence properties are safety properties, while the response properties are liveness properties. Referring to the classification of properties in [MP89a], the response properties defined here are a special case of the responsiveness class defined there (which allows p and q to be past formulae rather than assertions). The class of precedence properties and the proof rules associated with it were first introduced in [MP83].

We  refer  the  reader  to  [MP89b]  for  a  top  down  approach,  which  attempts  to  present 
the  most  general  proof  rules  that  cover  as  many  properties  as  possible.  Here,  however,  we 
take  the  opposite  approach  of  presenting  rules  that  are  closely  tailored  for  the  restricted 
classes  that  are  most  frequently  needed.  This  reduction  in  generality  is  justified  only 
if  we  can  demonstrate  a  gain  in  the  convenience  and  efficacy  of  using  those  rules  for 
verifying  properties  that  fall  in  these  classes.  This  brings  us  to  the  second  point  we  wish 
to  make  in  this  paper. 

The  paper  contains  no  new  theoretical  results.  Rather,  it  recommends  the  adoption 
of  a  set  notation  for  expressing  the  control  state  of  a  system  with  an  unbounded,  and 
even  dynamic,  set  of  processes,  within  the  framework  of  old  and  tried  proof  methods, 
such  as  [Lam77,  MP84]  (see  also  [PZ86]  where  this  set  notation  has  been  introduced  for 
the  analysis  of  probabilistic  algorithms). 

The algorithm we have chosen to verify is an ideal example for demonstrating the acute need for formal verification of concurrent programs, as well as the style and level of verification that is currently possible. We refer the reader to [Szy88] for some of its important features, such as using single-writer bounded shared variables and enjoying the property of linear delay. These features make this algorithm a significant improvement over most of its predecessors.

Although  the  algorithm  appears  to  be  quite  simple  and  innocuous,  the  only  way  we 
could  convince  ourselves  of  its  correctness  was  to  construct  the  formal  proof  outlined  in 
this  paper.  Szymanski  presented  an  informal  proof,  which  is  as  convincing  as  informal 
proofs  can  be.  In  fact,  our  formal  proof  derives  its  main  ideas  from  a  formalization  of 
his  informal  arguments.  However,  if  the  question  of  correctness  is  crucial,  such  as  having 
to  decide  whether  to  include  this  algorithm  as  a  contention-resolving  component  in  a 
hardware  chip,  we  see  no  way  but  to  carry  out  a  formal  verification. 


We have learned two lessons from carrying out this verification exercise. The less encouraging lesson is that it requires a non-negligible deal of creativity and dexterity in manipulating logical formulae to come up with the appropriate set of auxiliary assertions (and other constructs needed for the proof). This is so even if the correct intuition is given and all that is required is to formalize that intuition. The more encouraging lesson is that, once the appropriate constructs have been found, the rest of the verification process, which requires the construction of the verification conditions (proof obligations) and proving their validity, can to a large extent be automated. It is not that we have come up with a surprisingly new automatic theorem prover. But inspection of the kinds of assertions generated for a proof of an algorithm like the one we study here convinced us that for a large and interesting class of algorithms all these assertions belong to a decidable class.


2  Programs  and  Computations 


The  basic  computational  model  we  use  to  represent  programs  is  that  of  a  fair  transition 
system.  In  this  model,  a  program  P  consists  of  the  following  components. 

• V = {u_0, ..., u_{n-1}} - A finite set of state variables. Some of these variables represent data variables, which are explicitly manipulated by the program text. Other variables are control variables, which represent, for example, the location of control in each of the processes in a concurrent program. We assume each variable to be associated with a domain, over which it ranges.

• Σ - A set of states. Each state s ∈ Σ is an interpretation of V, assigning to each variable y ∈ V a value over its domain, which we denote by s[y].

• T - A set of transitions. Each transition τ ∈ T is associated with an assertion ρ_τ(V, V'), called the transition relation, which refers to both an unprimed and a primed version of the state variables. The purpose of the transition relation ρ_τ is to express a relation between a state s and its successor s'. We use the unprimed version to refer to values in s, and the primed version to refer to values in s'. For example, the assertion x' = x + 1 states that the value of x in s' is greater by 1 than its value in s.

• Θ - The precondition. This is an assertion characterizing all the initial states, i.e., states at which the computation of the program can start. A state is defined to be initial if it satisfies Θ.

We define the state s' to be a τ-successor of the state s if

(s, s') ⊨ ρ_τ(V, V'),

where (s, s') is the joint interpretation which interprets x ∈ V as s[x], and interprets x' as s'[x]. Following this definition, we can view the transition τ as a function τ : Σ → 2^Σ defined by:

τ(s) = {s' | s' is a τ-successor of s}.

We say that the transition τ is enabled on the state s if τ(s) ≠ ∅. Otherwise, we say that τ is disabled on s. We say that a state s is terminal if all the transitions τ ∈ T are disabled on it. The enabledness of a transition τ can be expressed by the formula

En(τ) : (∃V') ρ_τ(V, V'),

which is true in s iff s has some τ-successor.

Assume a program P for which the above components have been specified. Consider

σ : s_0, s_1, s_2, ...

a finite or infinite sequence of states of P.

We say that the transition τ ∈ T is enabled at position k of σ if τ is enabled on s_k. We say that the transition τ is taken (completed) at position k + 1, k = 0, 1, ..., if s_{k+1} is a τ-successor of s_k. Note that several different transitions can be considered as taken at the same position.

The sequence σ is defined to be a computation of P if it satisfies the following requirements:

• Initially: s_0 is initial, i.e., s_0 ⊨ Θ.

• Consecution: For each j = 0, 1, ..., the state s_{j+1} is a τ-successor of the state s_j, i.e., s_{j+1} ∈ τ(s_j), for some τ ∈ T.

• Termination: Either σ is infinite, or it ends in a state s_k which is terminal.

• Justice: For each transition τ ∈ T, it is not the case that τ is continually enabled beyond some position j in σ (i.e., τ is enabled at every position k ≥ j) while τ is not taken beyond j.

For a program P, we denote by Comp(P) the set of all computations of P. We say that a state s is P-accessible if it appears in some computation of P. Clearly, any τ-successor of a P-accessible state is also P-accessible.

We  assume  an  underlying  assertional  language,  which  contains  the  predicate  calculus, 
and  interpreted  symbols  for  expressing  the  standard  operations  and  relations  over  some 
concrete  domains.  We  refer  to  a  formula  in  the  assertional  language  as  an  assertion. 

For an assertion p and a state s such that p holds on s, we say that s is a p-state. For a computation σ : s_0, s_1, ... such that s_j is a p-state, we call j a p-position.

Set  Notation 

We introduce the following notation to facilitate a compact representation of sets of natural numbers.

A set specification consists of a list of one or more set specifiers, where each specifier is either a single natural number, or an interval specifier of the form a..b, for natural numbers a ≤ b. The set defined by the interval specifier a..b consists of all the integers not smaller than a and not larger than b, i.e.,

{a..b} = {m | a ≤ m ≤ b}.

The set defined by a list of specifiers is the union of the sets defined by the individual specifiers. Thus, the set specified by {1, 3..5, 7} consists of the natural numbers

{1, 3, 4, 5, 7}.

In the following, we define on several occasions a family of sets A_a indexed by natural numbers. These definitions immediately extend to define sets indexed by general set specifications as follows:

A_{sp_1, ..., sp_k} = ⋃_{a ∈ {sp_1, ..., sp_k}} A_a.

Thus, A_{1,3..5,7} is given by

A_1 ∪ A_3 ∪ A_4 ∪ A_5 ∪ A_7.
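As an added illustration (not part of the paper), the following Python parses set specifications in exactly this syntax and applies the indexed-union extension to a family of sets supplied by the caller. The names parse_set_spec and indexed_union and the regular expression are this example's own conventions, not notation from the paper.

```python
"""Parser for the paper's set specifications, e.g. "1, 3..5, 7", plus the
indexed-union extension A_{spec}.  Added example; names are my own."""
import re
from typing import Callable, Set

# one specifier: a single natural number, or an interval a..b
SPECIFIER = re.compile(r"^\s*(\d+)\s*(?:\.\.\s*(\d+))?\s*$")


def parse_set_spec(spec: str) -> Set[int]:
    """Map a set specification (braces optional) to the set it denotes.
    {a..b} = {m | a <= m <= b}; a list of specifiers denotes the union."""
    body = spec.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    result: Set[int] = set()
    for item in body.split(","):
        m = SPECIFIER.match(item)
        if not m:
            raise ValueError(f"malformed set specifier: {item!r}")
        a = int(m.group(1))
        b = int(m.group(2)) if m.group(2) is not None else a
        if a > b:                      # the paper requires a <= b
            raise ValueError(f"interval specifier {a}..{b} needs a <= b")
        result.update(range(a, b + 1))
    return result


def indexed_union(family: Callable[[int], Set[int]], spec: str) -> Set[int]:
    """A_{spec}: the union of A_a over every a in the set specified by spec.
    `family` maps an index a to the set A_a."""
    out: Set[int] = set()
    for a in parse_set_spec(spec):
        out |= family(a)
    return out
```

With family = lambda k: L[k] for a table L of control sets, indexed_union(family, "1..12") is the paper's L_{1..12}; the parser rejects a descending interval such as 5..3, as the definition requires.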


3  The  Program  as  a  Fair  Transition  System 


The program we wish to study can be given as

    mutex ::
        flag : array[0..n-1] of 0..4 where flag[0..n-1] = 0
        P[0] || P[1] || ... || P[n-1]

Each process P[i], i = 0, ..., n-1, of the program is given by:

    local j : [0..n-1] where j = 0

    ℓ_0:  loop forever do
          begin
            ℓ_1:  Non Critical
            ℓ_2:  flag[i] := 1
            ℓ_3:  wait until ∀j : 0 ≤ j < n : (flag[j] < 3)
            ℓ_4:  flag[i] := 3
            ℓ_5:  if ∃j : 0 ≤ j < n : (flag[j] = 1) then
                  begin
                    ℓ_6:  flag[i] := 2
                    ℓ_7:  wait until ∃j : 0 ≤ j < n : (flag[j] = 4)
                  end
            ℓ_8:  flag[i] := 4
            ℓ_9:  wait until ∀j : 0 ≤ j < i : (flag[j] < 2)
            ℓ_10: Critical
            ℓ_11: wait until ∀j : i < j < n : (flag[j] < 2 ∨ flag[j] > 3)
            ℓ_12: flag[i] := 0
          end


Below, we identify the four components of a fair transition system, namely, state variables, states, transitions, and precondition, for the mutex program. This identification enables us to view the program as a fair transition system, and apply to it the verification methods that will be later presented for a general fair transition system.

• V - The state variables are given by

L_0, ..., L_12, flag[0], ..., flag[n-1], j_0, ..., j_{n-1}.

The variables L_0, ..., L_12 are control variables that range over subsets of {0, ..., n-1}. At any state of the computation, L_k, for k = 0, ..., 12, contains the indices of all the processes that currently are ready to execute the statement labeled ℓ_k. Variables flag[0], ..., flag[n-1] naturally represent the current values of the corresponding program variables. The variables j_0, ..., j_{n-1} represent the current values of the local variable j of the processes P[0], ..., P[n-1], respectively. As we will see below, we assume that a compound test such as ∀j : 0 ≤ j < n : (flag[j] < 3) is performed by several atomic tests, each checking the current value of flag[j] for some j. The variable j_i indicates that the next flag value to be tested by P[i] is flag[j_i].

• Σ - The states consist of all the possible assignments to the state variables of values in their respective domains.

• Θ - The precondition is given by the assertion

Θ : (L_0 = {0, ..., n-1}) ∧ (L_{1..12} = ∅) ∧ ⋀_{i=0}^{n-1} ((flag[i] = 0) ∧ (j_i = 0))

Thus, at the initial state of the program, all processes reside at the location ℓ_0, and the values of flag[0], ..., flag[n-1] and of j_0, ..., j_{n-1} are all zero.

To express the movement of control effected by the transitions, we introduce the following abbreviations:

move(i, k, m) : (L'_k = L_k − {i}) ∧ (L'_m = L_m ∪ {i})
stay : ⋀_{k=0}^{12} (L'_k = L_k)

Clearly, move(i, k, m) describes the movement of control within process P[i] from ℓ_k to ℓ_m, while stay describes the case that the control does not move in any of the processes.

Note that the movement of control from ℓ_k to ℓ_m is represented by claiming that the new value of the set L_k, which contains the indices of all the processes that currently reside at ℓ_k, equals its old value minus the process i that has moved away. Similarly, L_m is updated by the addition of i.


The  Transitions 

Before presenting the actual transitions corresponding to the mutex program, we present a general approach to the assignment of transitions to compound tests, such as the tests appearing in statements ℓ_3, ℓ_5, ℓ_7, ℓ_9, and ℓ_11 of the program. These tests all perform a check of whether a certain condition p(j) holds for all or some j = 0, ..., n-1. We do not consider the interpretation of such tests as atomic, assuming them to be fully completed by a single transition, as a realistic representation of what really happens in concurrent systems. Instead, we consider them as molecular (see [PZ86]), and assign a separate transition to the check of p(j) for each individual j. We refer the readers to [MP89c] for an analysis of the same program under the assumption of atomic compound tests, as well as a comparison of several versions of molecular compound tests.

There are three types of compound tests that appear in the mutex program. We discuss each of them separately. To represent an intermediate situation in the performance of a compound test by the process P[i], we use the state variable j_i that points at the next value of j for which p(j) should be tested. In the representation we consider here, j_i is initialized to 0 and incremented by 1 to get to the new index to be tested. Consequently the value j_i = n indicates the completion of the compound test.

In [MP89c] we also consider other orders in which the range 0..n-1 can be scanned, and study the effect the different scanning orders may have on the behavior of the program. In fact, we show there that the program is correct if we follow an ascending scanning order, which is the one adopted here, and is incorrect for any other scanning order.

In defining the transition relation ρ_τ corresponding to the transition τ, we adopt the following convention. We present a compact transition relation R_τ, which contains the conditions under which τ is enabled, and the effect τ has on the variables it may modify. The full transition relation ρ_τ is given by a conjunction of R_τ with a list of clauses u' = u for each variable u whose primed version does not appear in R_τ, i.e., a variable that is obviously preserved by τ.

Assume that the following compound test appears in the program for the process P[i], for some predicate p(j) which depends on j.

    ℓ_r: wait until ∀j : (0 ≤ j < n) : p(j)
    ℓ_s: ...

With this statement we associate the transition τ_r[i], whose compact transition relation is given by

R_r[i] : (i ∈ L_r) ∧ (   [(j_i = n) ∧ move(i, r, s)]
                       ∨ [(j_i < n) ∧ p(j_i) ∧ stay ∧ (j'_i = j_i + 1)]
                       ∨ [(j_i < n) ∧ ¬p(j_i) ∧ stay ∧ (j'_i ≤ j_i)] )

The first clause of this formula corresponds to the case that the compound test has terminated, as is identified by j_i = n. This means that for each j = 0, ..., n-1 we have encountered a state in which p(j) was true. By no means is it implied that there ever was a state in which p(j) held for all j = 0, ..., n-1 at the same time.

The second clause of this transition corresponds to the case that j_i is still in the range 0, ..., n-1 and p(j_i) is found to be true. In this case, j_i is stepped up, but control still remains at ℓ_r.

The third clause corresponds to the case that p(j_i) is found to be false. Several strategies are possible at this point. Some implementations may decide to restart the testing cycle from the beginning, and consequently reset j_i to 0 on detecting a false p(j_i). Other implementations leave j_i as it is and will try again to test p(j_i) until it is found to be true. The clause presented above is general enough to cover both these strategies by requiring only that j_i does not increase. Obviously, if we prove the program to be correct under this more general representation, the results will hold, in particular, for the two specific implementations we have described above.

Next, let us consider a statement of the form

    ℓ_r: wait until ∃j : (0 ≤ j < n) : p(j)
    ℓ_s: ...

With this statement we associate the transition τ_r[i], whose compact transition relation is given by

R_r[i] : (i ∈ L_r) ∧ (   [p(j_i) ∧ move(i, r, s)]
                       ∨ [¬p(j_i) ∧ stay ∧ (j'_i = (j_i + 1) mod n)] )

The first clause of this formula corresponds to the case that p(j_i) is found to hold. In this case, the process P[i] moves on to ℓ_s.

The second clause corresponds to the case that p(j_i) does not hold. In this case P[i] remains at ℓ_r and j_i is stepped to its next value. The incrementation of j_i is done modulo n, so that the value following n-1 is again 0.

Finally, let us consider the statement

    ℓ_r: if ∃j : (0 ≤ j < n) : p(j)
         then [ ℓ_s : ... ]
         else [ ℓ_t : ... ]

With this statement we associate the transition τ_r[i], whose compact transition relation is given by

R_r[i] : (i ∈ L_r) ∧ (   [(j_i = n) ∧ move(i, r, t)]
                       ∨ [(j_i < n) ∧ p(j_i) ∧ move(i, r, s)]
                       ∨ [(j_i < n) ∧ ¬p(j_i) ∧ stay ∧ (j'_i = j_i + 1)] )

The first clause of this formula corresponds to the case that the search for a j that satisfies p(j) has been completed, apparently without finding such a j. Consequently, the result of the compound test is false and we proceed to the else clause.

The second clause of the formula corresponds to the case that the current value of j_i satisfies p(j_i). This means that the test is successful and we proceed to the then clause.

The third clause of the formula corresponds to the case that the current value of j_i does not satisfy p(j_i). We therefore step j_i to its next value and stay in place.

Having considered the general form of the transitions associated with the three types of molecular tests we have in our program, we proceed to present the transitions for the program.

We recall that according to our set notations

L_{i_1, ..., i_m} = L_{i_1} ∪ L_{i_2} ∪ ... ∪ L_{i_m}
L_{i..k} = L_i ∪ L_{i+1} ∪ ... ∪ L_k   for i ≤ k

Below, we list the transitions associated with the process P[i]. For each such process there exist one or more transitions corresponding to each statement. For the statement labeled by ℓ_r we denote the corresponding transition by τ_r[i] and the associated compact transition relation by R_r[i].

• R_0[i] : (i ∈ L_0) ∧ move(i, 0, 1)

This transition corresponds to the case that P[i] is at ℓ_0 and moves inside the loop statement.

• R_1[i] : (i ∈ L_1) ∧ [stay ∨ move(i, 1, 2)]

This compact transition relation consists of two clauses representing a non-deterministic choice. The first clause corresponds to the case that the process P[i] decides to remain in its non-critical section for a while longer. The situation that, from a certain point on, a process remains forever in its non-critical section (which we want to include) is represented by this process consistently choosing this clause of the transition relation from that point on.

The second clause of the compact transition relation corresponds to the case that P[i] decides to quit its non-critical section and move from ℓ_1 to ℓ_2.

• R_2[i] : (i ∈ L_2) ∧ move(i, 2, 3) ∧ (flag'[i] = 1) ∧ (j'_i = 0)

This transition corresponds to the case that the process P[i] moves from ℓ_2 to ℓ_3 while setting flag[i] to 1. According to our convention, flag'[k] = flag[k] for all k ≠ i. Note that since ℓ_3 performs a molecular test, we reset j_i to 0 on entering ℓ_3 as preparation for the compound test to be performed at ℓ_3.

• R_3[i] : (i ∈ L_3) ∧ (   [(j_i = n) ∧ move(i, 3, 4)]
                          ∨ [(j_i < n) ∧ (flag[j_i] < 3) ∧ stay ∧ (j'_i = j_i + 1)]
                          ∨ [(j_i < n) ∧ (flag[j_i] ≥ 3) ∧ stay ∧ (j'_i ≤ j_i)] )

The first clause of this compact transition relation corresponds to a successful termination of the test, as a result of which P[i] moves to ℓ_4. The second clause corresponds to the case that the next tested value of j_i satisfies flag[j_i] < 3, as a result of which j_i is incremented to its next value. The last clause corresponds to the case that a tested flag[j_i] is found to be greater than or equal to 3. In this case, we allow resetting j_i to any value not exceeding its current value.

• R_4[i] : (i ∈ L_4) ∧ move(i, 4, 5) ∧ (flag'[i] = 3) ∧ (j'_i = 0)

Process P[i] moves to ℓ_5 while setting flag[i] to 3 and resetting j_i to 0.

• R_5[i] : (i ∈ L_5) ∧ (   [(j_i = n) ∧ move(i, 5, 8)]
                          ∨ [(j_i < n) ∧ (flag[j_i] = 1) ∧ move(i, 5, 6)]
                          ∨ [(j_i < n) ∧ (flag[j_i] ≠ 1) ∧ stay ∧ (j'_i = j_i + 1)] )

The first clause of the compact transition relation corresponds to the case that the test has terminated unsuccessfully, and consequently P[i] moves to ℓ_8. The second clause represents the case that flag[j_i] = 1. Consequently, P[i] moves to ℓ_6. The last clause corresponds to the case that the current value of j_i does not satisfy flag[j_i] = 1. Consequently, the process stays in the test and steps j_i to the next value.

• R_6[i] : (i ∈ L_6) ∧ move(i, 6, 7) ∧ (flag'[i] = 2) ∧ (j'_i = 0)

Set flag[i] to 2 and j_i to 0.

• R_7[i] : (i ∈ L_7) ∧ (   [(flag[j_i] = 4) ∧ move(i, 7, 8)]
                          ∨ [(flag[j_i] ≠ 4) ∧ stay ∧ (j'_i = (j_i + 1) mod n)] )

The first clause of the compact transition relation represents the case that flag[j_i] equals 4. In that case the search has terminated and P[i] moves to ℓ_8. The second clause corresponds to the case that flag[j_i] does not equal 4. In that case the search continues by stepping j_i to its next value.

• R_8[i] : (i ∈ L_8) ∧ move(i, 8, 9) ∧ (flag'[i] = 4) ∧ (j'_i = 0)

Process P[i] moves from ℓ_8 to ℓ_9 while setting flag[i] to 4 and j_i to 0.

• R_9[i] : (i ∈ L_9) ∧ (   [(j_i = i) ∧ move(i, 9, 10)]
                          ∨ [(j_i < i) ∧ (flag[j_i] < 2) ∧ stay ∧ (j'_i = j_i + 1)]
                          ∨ [(j_i < i) ∧ (flag[j_i] ≥ 2) ∧ stay ∧ (j'_i ≤ j_i)] )

The first clause of the compact transition relation represents a successful completion of the test, which runs for j_i ranging from 0 to i-1. P[i] moves to ℓ_10. The second clause represents the case that j_i < i and the current j_i satisfies flag[j_i] < 2. Consequently, the process increments j_i. The last clause represents the case that the current j_i does not satisfy flag[j_i] < 2.

• R_10[i] : (i ∈ L_10) ∧ move(i, 10, 11) ∧ (j'_i = i + 1)

The activity of the process inside the critical section is represented by the single transition that moves from ℓ_10 to ℓ_11. This represents the commitment that, differently from the non-critical section, the activity within the critical section must always terminate. Note that on moving to ℓ_11 we reset j_i to i + 1 to initialize the search at ℓ_11 to start from that value.

• R_11[i] : (i ∈ L_11) ∧ (   [(j_i = n) ∧ move(i, 11, 12)]
                            ∨ [(j_i < n) ∧ (flag[j_i] < 2 ∨ flag[j_i] > 3) ∧ stay ∧ (j'_i = j_i + 1)]
                            ∨ [(j_i < n) ∧ (2 ≤ flag[j_i] ≤ 3) ∧ stay ∧ (j'_i ≤ j_i)] )

The first clause of this compact transition relation corresponds to a successful termination of the test. Consequently, P[i] moves to ℓ_12. The second clause corresponds to the case that j_i < n and flag[j_i] < 2 ∨ flag[j_i] > 3. Consequently, process P[i] moves to the next value of j_i. The third clause corresponds to the case that 2 ≤ flag[j_i] ≤ 3, and therefore j_i is reset to any value not exceeding its current value.

• R_12[i] : (i ∈ L_12) ∧ move(i, 12, 0) ∧ (flag'[i] = 0)

Process P[i] moves from ℓ_12 to the location at which the main loop restarts another execution of its body, while resetting flag[i] to 0.

4  Invariance  Properties 

For an assertion $p$, we say that $p$ is (generally) valid, and write $\models p$, if $p$ is true on all possible states. All the known tautologies and theorems of the predicate calculus are obviously valid.

We say that the assertion $p$ is valid over the program $P$ (also described as being $P$-valid), and write $P \models p$, if $p$ holds over all the $P$-accessible states.

Clearly, if the assertion $p$ is $P$-valid it is an invariant property of the program $P$. That is, it holds over all the states that can arise in any computation of the program $P$.

In this section we present several proof rules that are adequate for proving the invariance of an assertion $p$ over a program $P$, i.e., proving $P \models p$.

We will illustrate these rules by proving the main properties of the program mutex. To facilitate the expression of properties for this program, we introduce the following notation, for $i \le k$:

$N_i = |L_i|$

$N_{i_1, \ldots, i_m} = N_{i_1} + N_{i_2} + \cdots + N_{i_m}$

$N_{i..k} = N_i + N_{i+1} + \cdots + N_k$

The main invariance property of the program mutex can be expressed by the assertion $N_{10} \le 1$. This assertion limits the number of processes that can be concurrently executing at $\ell_{10}$, which corresponds to the critical section, to at most 1. Thus, we have to prove

$P \models (N_{10} \le 1)$

for the mutex program.

Since most of our reasoning is done within the $P$-validity framework, we omit the prefix "$P \models$" and simply write $p$ to mean $P \models p$. The only exception to this convention is rules that deal at the same time with both general and $P$-validity, such as the IMP rule presented below.

IMP

(Import) rule: $(\models p) \vdash (P \models p)$.

This rule states that if the assertion $p$ is generally valid, it is in particular $P$-valid. It is used to import general validities into the $P$-validity framework.

MP

(Modus Ponens) rule: $\{p \to q,\ p\} \vdash q$.

This rule infers the $P$-validity of $q$ from the $P$-validity of $p \to q$ and $p$.

The  above  two  auxiliary  rules  are  independent  of  the  particular  program  analyzed. 
The  following  inv  rule  refers  to  the  elements  of  the  program,  and  is  the  main  working 
tool  for  establishing  invariance  properties. 

The rule uses a special case of a particular formula, to which we refer as the verification condition of the transition $\tau$, relative to the assertions $p$ and $q$. This formula has the form

$(p \wedge \rho_\tau) \to q'$

In this formula, $\rho_\tau$ is the transition relation corresponding to $\tau$, and $q'$, the primed version of the assertion $q$, is obtained from $q$ by replacing each variable occurring in $q$ by its primed version. Let $s$ and $s'$ be two states. Since $\rho_\tau$ holds over the joint interpretation $(s, s')$ iff $s'$ is a $\tau$-successor of $s$, and $q'$ states that $q$ holds over $s'$, it is not difficult to see that

If the verification condition $(p \wedge \rho_\tau) \to q'$ is $P$-valid, then every $\tau$-successor of a $p$-state is a $q$-state.
The INV rule is given by

INV

I1. $\varphi \to p$

I2. $\Theta \to \varphi$

I3. $(\varphi \wedge \rho_\tau) \to \varphi'$ for every $\tau \in T$

$p$

The INV rule uses an auxiliary assertion $\varphi$ which, by premise I2, holds initially, and by premise I3 is propagated from each state to its successor. This shows that $\varphi$ is an invariant of the program, that is, it holds continuously over all computations of $P$. Since, by I1, the assertion $\varphi$ implies $p$, it follows that $p$ is also an invariant of the program.

Example  Consider the trivial program with a single state variable $x$, the pre-condition $x = 0$, and a single transition $\tau$ whose transition relation is given by $\rho_\tau : x' = x + 1$. Observe that this program has a single infinite computation, given by

$\langle x : 0 \rangle, \langle x : 1 \rangle, \langle x : 2 \rangle, \ldots$

We wish to prove for this program the trivial invariance property

$x \ge 0$.

To prove this property, we use the INV rule with $\varphi = p : (x \ge 0)$. The rule requires showing the validity of the following three premises:

I1. $(x \ge 0) \to (x \ge 0)$

I2. $(x = 0) \to (x \ge 0)$

I3. $((x \ge 0) \wedge (x' = x + 1)) \to (x' \ge 0)$

Clearly all the three premises are generally valid, which establishes the invariance of $x \ge 0$.

We  proceed  to  establish  several  invariants  for  the  program  mutex,  which  together 
will  yield  the  desired  result. 


Simple  Invariants 

First, we establish a list of invariants that connect, for each $i = 0, \ldots, n-1$, the location of $P[i]$ with the value of $flag[i]$. To facilitate the expression of these invariants, we define

$F_k = \{\, i \mid 0 \le i < n,\ flag[i] = k \,\}$.

Thus, $F_k$, for $k = 0, \ldots, 4$, denotes the set of indices $i$ such that $flag[i] = k$. We also recall the abbreviations, for $i \le k$:

$F_{i_1, \ldots, i_m} = F_{i_1} \cup F_{i_2} \cup \cdots \cup F_{i_m}$

$F_{i..k} = F_i \cup F_{i+1} \cup \cdots \cup F_k$

Using these notations, the invariants relating the location of processes to their flag values can be expressed as relations between $F_k$ and $L_r$ for various values of $r$ and $k$.


IF0. $F_0 = L_{0..2}$

IF1. $F_1 = L_{3,4}$

IF2. $F_2 \subseteq L_{7,8}$

IF3. $F_3 \subseteq L_{5,6,8}$

IF4. $F_4 = L_{9..12}$

IL5. $L_5 \subseteq F_3$

IL6. $L_6 \subseteq F_3$

IL7. $L_7 \subseteq F_2$

IL8. $L_8 \subseteq F_{2,3}$


The invariants IF0, ..., IF4 restrict the locations at which $P[i]$ can reside when the value of $flag[i]$ is $0, \ldots, 4$, respectively. For example, the invariant IF4 claims that the value of $flag[i]$ is 4 iff $P[i]$ is at one of the locations $\ell_9, \ldots, \ell_{12}$. The invariants IL5, ..., IL8 restrict the value of $flag[i]$ while $P[i]$ is at the locations $\ell_5, \ldots, \ell_8$, respectively. For example, the invariant IL8 claims that when $P[i]$ is at $\ell_8$ its flag value must be 2 or 3. This is the only location in the program in which the value of the flag is not uniquely determined.

Let us see, for example, how an invariant such as IF1 is established. To prove $F_1 = L_{3,4}$, we actually prove

$(i \in F_1) \leftrightarrow (i \in L_{3,4})$,

for every $i = 0, \ldots, n-1$. We apply the INV rule with $\varphi = p : (i \in F_1) \leftrightarrow (i \in L_{3,4})$. There are three premises to verify.

Premise I1 is trivial since $\varphi = p$ in our case. Premise I2 requires showing that $\Theta$ implies $F_1 = L_{3,4}$. It is not difficult to see that $\Theta$ actually implies $F_1 = L_{3,4} = \emptyset$, since initially there are no processes whose flag value is 1, and there are no processes residing at either $\ell_3$ or $\ell_4$.

The premise that requires more attention is premise I3. Here we are called for writing a separate implication of the form $(\varphi \wedge \rho_\tau) \to \varphi'$, for every transition $\tau$ in the program. There are some simple heuristics that let us discard immediately many transitions as automatically guaranteed to preserve $\varphi$. The simplest and most effective one is:

All transitions that do not modify any of the variables on which $\varphi$ depends are guaranteed to preserve $\varphi$.

This heuristic leads immediately to the conclusion that, for the assertion $F_1 = L_{3,4}$, we should only be concerned with the following transitions, which we consider one by one (we represent the transitions by the unique locations with which they are associated):

$\ell_2[i]$ - The transition relation for this transition implies $(i \in L'_3) \wedge (i \in F'_1)$, since it causes $P[i]$ to move to $\ell_3$ and sets $flag[i]$ to 1. Consequently, it implies $\varphi'$.

$\ell_3[i]$ - Even though this transition can potentially modify both $L_3$ and $L_4$, it does it in a way that preserves $L_{3,4}$. Consequently, the transition relation implies $(F'_1 = F_1) \wedge (L'_{3,4} = L_{3,4})$, which ensures that $\varphi$ is preserved.

$\ell_4[i]$ - The corresponding transition relation implies $i \notin F'_1$ (the transition sets $flag[i]$ to 3), and $i \notin L'_{3,4}$ (the transition leaves $\ell_4$). Consequently, $\varphi'$ is established, as both sides of the equivalence become false.

It is clear that these are the only transitions that can affect the truth value of $\varphi$.

We conclude that $(i \in F_1) \leftrightarrow (i \in L_{3,4})$ is an invariant assertion, and therefore so is

$F_1 = L_{3,4}$.

Proving Mutual Exclusion

Having prepared the machinery for proving invariance properties, we may proceed to establish the main invariance property of the mutex program, namely, that of mutual exclusion.

We refer the reader to [Szy88] for a detailed explanation of the basic ideas on which the mutex program is based. Here we extract just the main observations. The tortuous path a process has to follow on its way from the non-critical section at $\ell_1$ to the critical section at $\ell_{10}$ can be partitioned into several segments. We refer to the location $\ell_4$ as the doorway, to the section $\ell_{5..7}$ as the waiting room, and to the section $\ell_{8..12}$, which contains the critical section, as the inner sanctum.

The basic claims on which mutual exclusion is based are the following:

C1. Whenever a process enters an empty inner sanctum, i.e., $L_{8..12}$ changes its value from empty to non-empty, the doorway is locked, i.e., $L_4 = \emptyset$. The doorway remains locked until the last process leaves the inner sanctum. This implies the invariant

$A_0 : (L_{8..12} \ne \emptyset) \to (L_4 = \emptyset)$,

which claims that if $L_{8..12}$ is non-empty then $L_4$ must be empty. If we believe this to be a true invariant, then the fact that $L_{8..12}$ is non-empty should prevent any new processes coming to $\ell_3$ from crossing over into $\ell_4$. The only thing that can prevent processes from crossing over is if $flag[j]$ of some process equals 3 or 4. Thus, we must also have

$A_1 : (L_{8..12} \ne \emptyset) \to (L_{8..12} \cap F_{3,4} \ne \emptyset)$.

Note that we require that one of the processes in $L_{8..12}$ has a flag value of 3 or 4. This is because a flag value of 3 which is held by a process at $\ell_{5,6}$ is unstable in the sense that it may very soon change to 2, by the statement at $\ell_6$.

C2. If a process $i$ is at $\ell_{10..12}$, then it must be the minimal (having the least index) of all the processes in $L_{5..12}$. This is expressed by the invariant

$A_2 : ((k < i) \wedge (i \in L_{10..12})) \to (k \notin L_{5..12})$.

C3. If some process is at $\ell_{12}$, then all the processes in $L_{5..12}$ must have a flag value of 4. This is expressed by the invariant

$A_3 : ((i \in L_{12}) \wedge (k \in L_{5..12})) \to (k \in F_4)$.

Thus, as soon as a process enters the inner sanctum the doorway gets locked. This leaves the processes in the waiting room and the inner sanctum isolated from the rest of the processes and lets them compete for the entry to the critical section. By claim C2, only one process at a time can reside in the region $\ell_{10..12}$, which includes the critical section: the process whose index is minimal among all the processes in $L_{5..12}$. It follows that mutual exclusion is maintained.

If we were working in a framework in which the compound tests are considered atomic, then the conjunction

$\varphi : A_0 \wedge A_1 \wedge A_2 \wedge A_3$

could have been shown to be invariant, from which, by $A_2$, mutual exclusion would have followed.

Unfortunately, we have to deal with molecular tests, which require an extension to the above list of invariants. Consider any region of consecutive locations that is mentioned in one of the previous invariants, and which is preceded by a compound test. For example, $\ell_{10..12}$ is such a region, where the relevant compound test is the one at $\ell_9$. The assertion $A_2$ states that if $k < i$ and $i$ belongs to $L_{10..12}$, then $k$ cannot be in $L_{5..12}$. In the atomic case, one of the considerations used in proving this assertion is that $P[i]$ cannot pass the atomic test at $\ell_9$ if $k < i$ is anywhere at $\ell_{5..12}$. This is because the simple invariants connecting flag values to locations imply that $flag[k] \ge 2$ while $P[k]$ is at $\ell_{5..12}$.

In the molecular case, the test at $\ell_9$ is not passed in one step. Process $P[i]$ may reside at $\ell_9$ for several steps, checking the values of $flag[j_i]$ for various values of $j_i$. The important question concerning $k$ is whether $P[i]$ has already tested the value of $flag[k]$. This can be observed by checking whether $j_i > k$. If $j_i$ is greater than $k$, then we know that the value of $flag[k]$ has already been tested and found satisfactory, i.e., smaller than 2.

Consequently, to adapt the assertion $A_2$ to the molecular case, we should replace the simple region reference $i \in L_{10..12}$ appearing there by the extended reference $i \in L_{10..12} \vee (i \in L_9 \wedge j_i > k)$. By applying such range extensions to the assertions $A_0, \ldots, A_3$, we obtain the following assertions:
$B_0 : (i \in L_5 \wedge j_i > k) \to \neg[(k \in L_4) \vee (k \in L_3 \wedge j_k > i)]$

$B_1 : (i \in L_{8..12}) \to \exists r : (r \in L_{8..12} \cap F_{3,4}) \wedge \neg[(k \in L_4) \vee (k \in L_3 \wedge j_k > r)]$

$B_2 : [(k < i) \wedge (i \in L_{10..12} \vee (i \in L_9 \wedge j_i > k))] \to (k \notin L_{5..12})$

$B_3 : [(i \in L_{12} \vee (i \in L_{11} \wedge j_i > k)) \wedge (k \in L_{5..12})] \to (k \in F_4)$

Assertions $B_0$ and $B_1$ refine together assertions $A_0$ and $A_1$ to the molecular case. The basic idea is to show for any $k$ that if $P[i]$ is either at $\ell_{8..12}$ or at $\ell_5$ with $j_i > k$, i.e., having already checked $flag[k]$, then $P[k]$ cannot be at $\ell_4$, and if it is at $\ell_3$, then its $j_k$ value does not exceed some $r$ that blocks it from proceeding into $\ell_4$, by having $flag[r] > 2$. If $P[i]$ is at $\ell_5$, we can take $r$ to be $i$ itself. If $P[i]$ is at $\ell_{8..12}$, we can only claim the existence of such a blocking $r$, such that $P[r]$ is also at $\ell_{8..12}$ and $flag[r] > 2$.

We form now the conjunction

$\psi : B_0 \wedge B_1 \wedge B_2 \wedge B_3$

and claim that it is an invariant of the program mutex.

It is beyond the scope of this paper to consider all the transitions and show that each preserves $\psi$. We will, however, consider some of the more interesting cases.

Consider, for example, what transitions may possibly affect the assertion $B_1$. A critical transition of $P[i]$ is the one that moves from $\ell_5$ to $\ell_8$. However, due to $B_0$, the right-hand side of the implication of $B_1$ will hold after the transition with $r = i$ and (due to IL5) $flag[i] = 3$. Another potentially critical transition of $P[k]$ is the one that increases $j_k$ beyond $r$. However, due to $flag[r] > 2$, such a transition is disabled. For this argument to hold it is essential that the indices $j$ in $\ell_3$ are scanned in increasing order.

Lastly, we consider the transition of $P[r]$ from $\ell_{12}$ to $\ell_0$ while resetting its flag value to 0. There are two possibilities. If $r$ is the last process in $L_{8..12}$, then after the transition $L_{8..12}$ will become empty, causing $B_1$ to hold trivially. If $r$ is not the last, there exists another process, say $P[t]$, in $L_{8..12}$. Then, due to $B_2$, which states that $r$ is the minimal process in $L_{5..12}$, $r$ must be smaller than $t$. Therefore, if $j_k \le r$ it is also $\le t$. Due to $B_3$, $flag[t]$ equals 4. Consequently, after the transition, $B_1$ still holds if we use $t$ as a substitute for $r$.


5  Response  Properties 

Next to be considered is the class of response properties. The typical response property is expressed by the formula

$p \Rightarrow \Diamond q$,

for assertions $p$ and $q$. A sequence of states $\sigma$ is said to satisfy the response formula $p \Rightarrow \Diamond q$ if every $p$-position $i \ge 0$ is followed by a $q$-position $j \ge i$. Such a response formula is said to be valid over the program $P$ (also called $P$-valid), denoted by $P \models (p \Rightarrow \Diamond q)$, if all the computations of $P$ satisfy the formula. This means that every occurrence of (a state satisfying) $p$ in the execution of $P$ is followed by an occurrence of $q$. We will often omit the prefix $P \models$ when stating the validity of a response formula over $P$.

The temporal logic adepts will recognize $\Rightarrow \Diamond$ as the combination of the two operators $\Rightarrow$ and $\Diamond$ (see for example [MP89a]). However, for our purpose here it suffices to view it as a single binary temporal operator, whose semantics has been defined above. It is very similar to the leads-to operator of Unity ([CM88]).

The following axioms and rules identify the basic properties of the response operator $\Rightarrow \Diamond$.

RFLX

(Reflexivity) axiom:

$p \Rightarrow \Diamond p$

This axiom expresses the fact that every $p$-position is trivially followed by a $p$-position, namely itself.

TRNS

(Transitivity) rule:

$\{p \Rightarrow \Diamond q,\ q \Rightarrow \Diamond r\} \vdash p \Rightarrow \Diamond r$

This rule states the transitivity of the response operator. It claims that if every $p$-position is followed by a $q$-position, and every $q$-position is followed by an $r$-position, then certainly every $p$-position must be followed by an $r$-position.

MON

(Monotonicity) rule:

$\{p \Rightarrow \Diamond q,\ \tilde{p} \to p,\ q \to \tilde{q}\} \vdash \tilde{p} \Rightarrow \Diamond \tilde{q}$

This rule allows us to replace in a valid response formula the antecedent $p$ by a stronger assertion $\tilde{p}$, and the consequent $q$ by a weaker assertion $\tilde{q}$, and obtain another valid formula.

DISJ

(Disjunction) rule:

$\{p \Rightarrow \Diamond r,\ q \Rightarrow \Diamond r\} \vdash (p \vee q) \Rightarrow \Diamond r$

This rule combines the two response formulae $p \Rightarrow \Diamond r$ and $q \Rightarrow \Diamond r$ into the formula $(p \vee q) \Rightarrow \Diamond r$. It allows us to prove the last formula by separately considering the case that $p$ holds and the case that $q$ holds. In this way it supports proof by cases.
The Basic Response Rule

The axiom and three rules listed above are independent of the particular program analyzed, and describe the basic properties of the response operator. We now present a rule that enables us to establish the validity of a response formula over a program.

The rule singles out a particular transition $\tau_h$, to which we refer as the helpful transition. It can establish response formulae $p \Rightarrow \Diamond q$ such that a single activation of the transition $\tau_h$ is sufficient to achieve $q$. We therefore refer to this rule as the basic or single-step response rule.

RESP

R1. $p \to (q \vee \varphi)$

R2. $(\rho_\tau \wedge \varphi) \to (q' \vee \varphi')$ for every $\tau \in T$

R3. $(\rho_{\tau_h} \wedge \varphi) \to q'$

R4. $\varphi \to (q \vee En(\tau_h))$

$p \Rightarrow \Diamond q$

Premise R1 ensures that $p$ implies $q$ or $\varphi$. Premise R2 states that any transition of the program either leads from $\varphi$ to $q$, or preserves $\varphi$. Premise R3 states that the helpful transition $\tau_h$ leads from $\varphi$ to $q$. Premise R4 ensures that $\tau_h$ is enabled as long as $\varphi$ holds and $q$ does not occur.

It is not difficult to see that if $p$ happens, say at position $i \ge 0$, but is not followed by a $q$, then $\varphi$ must hold continuously beyond this position, and the helpful transition $\tau_h$ is never taken beyond $i$. The latter fact follows from premise R3, which states that taking $\tau_h$ from a $\varphi$-state immediately leads to a $q$-state, contradicting the assumption that $q$ never happens beyond $i$. However, due to R4, this means that $\tau_h$ is continuously enabled but never taken beyond position $i$, which violates the requirement of justice for $\tau_h$.
Example

We will illustrate the application of this rule on the following program.

out x, y : integer where x = 0, y = 0

P1 :: [ ℓ0: while x = 0 do [ ℓ1: y := y + 1 ]; ℓ2: ]
||
P2 :: [ m0: x := 1; m1: ]

This program consists of two processes, $P_1$ and $P_2$. Process $P_1$ continuously increments $y$ while waiting for $x$ to become non-zero. Process $P_2$ consists of a single statement, assigning 1 to $x$.
The response property we wish to establish for this program is that of termination. It can be expressed by the formula

$(at\_\ell_0 \wedge at\_m_0) \Rightarrow \Diamond (at\_\ell_2 \wedge at\_m_1)$,

which states that the event of being at the beginning of the program $(at\_\ell_0 \wedge at\_m_0)$ is eventually followed by the event of being at the end of the program $(at\_\ell_2 \wedge at\_m_1)$.

This property is established by a sequence of lemmas, each applying one of the rules presented above.

Lemma 1 ($x$ eventually set to 1)

$(at\_\ell_0 \wedge at\_m_0) \Rightarrow \Diamond (at\_\ell_{0,1} \wedge at\_m_1 \wedge (x = 1))$

This lemma claims that eventually the variable $x$ is set to 1 by the process $P_2$, which then moves to $m_1$. When this happens, process $P_1$ is still executing within the loop region $\ell_{0,1}$.

To prove the lemma we choose

$p : at\_\ell_0 \wedge at\_m_0$

$\varphi : at\_\ell_{0,1} \wedge at\_m_0 \wedge (x = 0)$

$\tau_h : \tau_{m_0}$

$q : at\_\ell_{0,1} \wedge at\_m_1 \wedge (x = 1)$

and apply the RESP rule.

It is not difficult to see that $p$ implies $\varphi$, provided we prove first the obvious invariant $at\_m_0 \to (x = 0)$. It is also clear that taking $\tau_{m_0}$ from a $\varphi$-state leads to a state satisfying $q$, and taking any other transition, i.e., $\tau_{\ell_0}$ or $\tau_{\ell_1}$, preserves $\varphi$. Obviously $\varphi$ implies that $\tau_{m_0}$ is enabled.

Lemma 2 (From $\ell_0$ to $\ell_2$)

$(at\_\ell_0 \wedge at\_m_1 \wedge (x = 1)) \Rightarrow \Diamond (at\_\ell_2 \wedge at\_m_1)$

Follows from the RESP rule, by taking $\varphi = p$ and $\tau_h = \tau_{\ell_0}$.

Lemma 3 (From $\ell_1$ to $\ell_0$)

$(at\_\ell_1 \wedge at\_m_1 \wedge (x = 1)) \Rightarrow \Diamond (at\_\ell_0 \wedge at\_m_1 \wedge (x = 1))$

Follows from the RESP rule, by taking $\varphi = p$ and $\tau_h = \tau_{\ell_1}$.

Lemma 4 (From $\ell_1$ to $\ell_2$)

$(at\_\ell_1 \wedge at\_m_1 \wedge (x = 1)) \Rightarrow \Diamond (at\_\ell_2 \wedge at\_m_1)$

Follows by transitivity (rule TRNS) from Lemma 3 and Lemma 2.

Lemma 5 (From $\ell_{0,1}$ to $\ell_2$)

$(at\_\ell_{0,1} \wedge at\_m_1 \wedge (x = 1)) \Rightarrow \Diamond (at\_\ell_2 \wedge at\_m_1)$

Follows by the DISJ rule from Lemma 2 and Lemma 4, using the equivalence

$(at\_\ell_{0,1} \wedge at\_m_1 \wedge (x = 1)) \equiv ((at\_\ell_0 \wedge at\_m_1 \wedge (x = 1)) \vee (at\_\ell_1 \wedge at\_m_1 \wedge (x = 1)))$.

Lemma 6 (From $\{\ell_0, m_0\}$ to $\{\ell_2, m_1\}$)

$(at\_\ell_0 \wedge at\_m_0) \Rightarrow \Diamond (at\_\ell_2 \wedge at\_m_1)$

This lemma, which establishes the termination property, follows by the TRNS rule from Lemma 1 and Lemma 5.
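Each premise of the RESP rule is a state-level (non-temporal) condition, so for a finite program it can be discharged by checking it on every accessible state. The Python below does this for Lemmas 1, 2 and 3 above; it is an added example and not code from the paper. Because $y$ occurs in no assertion, the model abstracts it away (an assumption) and keeps only $(\ell, m, x)$; checking over accessible states rather than all states is what lets R1 of Lemma 1 go through without a separate proof of the invariant $at\_m_0 \to (x = 0)$. Passing a wrong helpful transition, as in `lemma1(helpful="l0")`, shows which premise then fails.

```python
"""Mechanical check of premises R1..R4 of the basic response rule (RESP)
for the two-process program above (added example, not the paper's code):

    P1 :: [ l0: while x = 0 do [ l1: y := y + 1 ]; l2: ]   ||   P2 :: [ m0: x := 1; m1: ]

A state is (l, m, x): locations of P1 and P2 and the value of x.
y is abstracted away (assumption: it occurs in no assertion).
"""


def transitions(s):
    """Yield (name, successor) for every transition enabled on state s."""
    l, m, x = s
    if l == 0:                                   # the while-test at l0
        yield "l0", ((1, m, x) if x == 0 else (2, m, x))
    if l == 1:                                   # y := y + 1, back to l0
        yield "l1", (0, m, x)
    if m == 0:                                   # x := 1
        yield "m0", (l, 1, 1)


def reachable(init=(0, 0, 0)):
    """The P-accessible states: the domain over which P-validity is checked."""
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for _, t in transitions(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def resp_violations(states, p, phi, q, helpful):
    """Names of the RESP premises that fail on some state in `states`.

    R1: p -> (q or phi)                      R3: helpful step from phi yields q
    R2: every step from phi yields q or phi  R4: phi -> (q or helpful enabled)
    """
    bad = set()
    for s in states:
        if p(s) and not (q(s) or phi(s)):
            bad.add("R1")
        if not phi(s):
            continue
        succ = list(transitions(s))
        for name, t in succ:
            if not (q(t) or phi(t)):
                bad.add("R2")
            if name == helpful and not q(t):
                bad.add("R3")
        if not q(s) and helpful not in {name for name, _ in succ}:
            bad.add("R4")
    return bad


def lemma1(helpful="m0"):
    """Lemma 1: (at_l0 & at_m0) => <>(at_l0,1 & at_m1 & x = 1), helpful m0."""
    p = lambda s: s[0] == 0 and s[1] == 0
    phi = lambda s: s[0] in (0, 1) and s[1] == 0 and s[2] == 0
    q = lambda s: s[0] in (0, 1) and s[1] == 1 and s[2] == 1
    return resp_violations(reachable(), p, phi, q, helpful)


def lemma2():
    """Lemma 2: (at_l0 & at_m1 & x = 1) => <>(at_l2 & at_m1), phi = p, helpful l0."""
    p = phi = (lambda s: s == (0, 1, 1))
    q = lambda s: s[0] == 2 and s[1] == 1
    return resp_violations(reachable(), p, phi, q, "l0")


def lemma3():
    """Lemma 3: (at_l1 & at_m1 & x = 1) => <>(at_l0 & at_m1 & x = 1), helpful l1."""
    p = phi = (lambda s: s == (1, 1, 1))
    q = lambda s: s == (0, 1, 1)
    return resp_violations(reachable(), p, phi, q, "l1")


if __name__ == "__main__":
    print("Lemma 1:", lemma1() or "all premises hold")
    print("Lemma 1 with helpful l0:", sorted(lemma1(helpful="l0")))
```

With the right helpful transition all three lemmas return an empty set. With $\tau_{\ell_0}$ declared helpful for Lemma 1, R3 fails because taking $\tau_{\ell_0}$ from the $\varphi$-state $(\ell_0, m_0, 0)$ leads to $(\ell_1, m_0, 0)$, which is not a $q$-state; the justice argument of the rule rests on R3, so this is the premise a reviewer of such a proof should look at first.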

The Well-Founded Rule for Response

The basic response rule supports the proof of response properties which are established by a single helpful step. As we have seen, even the simple example above requires several helpful steps to achieve its goal, i.e., termination. When the number of helpful steps required is small and fixed we can use a sequence of lemmas, each considering a single helpful step, and then combine their results by transitivity and case splitting. However, for the case that a large and a priori unknown number of helpful steps is required, we introduce below a more powerful rule that uses well-founded induction to combine the helpful steps.

We define a well-founded (embedded) structure $(A, B, \succ)$ to consist of the following components.

• $A$ - A set of elements.

• $B$ - A subset of $A$.

• $\succ$ - A binary relation on $A$, whose restriction to $B$ is well founded. That is, there does not exist an infinite sequence of elements of $B$, $\beta_0, \beta_1, \ldots$, such that

$\beta_0 \succ \beta_1 \succ \beta_2 \succ \cdots$

A typical example of a well-founded embedded structure is $(Int, Nat, >)$, where $Int$ are the integers (including the negative ones), $Nat$ are the natural numbers (including 0), and $>$ is the greater-than relation. Clearly, $>$ is defined over all the integers but is well founded only over the natural numbers.

Given two well-founded structures, $(A_0, B_0, \succ_0)$ and $(A_1, B_1, \succ_1)$, we can form their lexicographical product $(A, B, \succ)$, defined by

• $A$ is defined as $A_0 \times A_1$, i.e., the set of all pairs $(\alpha_0, \alpha_1)$ such that $\alpha_0 \in A_0$ and $\alpha_1 \in A_1$.

• $B$ is defined as $B_0 \times B_1$.

• $\succ$ is defined to hold between $(\alpha_0, \alpha_1) \in A$ and $(\alpha'_0, \alpha'_1) \in A$ iff

$(\alpha_0 \succ_0 \alpha'_0) \vee [(\alpha_0 = \alpha'_0) \wedge (\alpha_1 \succ_1 \alpha'_1)]$

It is not difficult to prove that the lexicographical product of two well-founded structures is also a well-founded structure.

For an arbitrary binary relation $\succ$ over $A$, we define its reflexive extension $\succeq$ to hold between $a, a' \in A$ if either $a = a'$ or $a \succ a'$.

The following rule uses several intermediate assertions that hold at the positions lying between the position satisfying $p$ and the position satisfying the goal $q$. We denote these assertions by $\varphi_i$, where $i$ ranges over some finite index set $I$, and denote their disjunction by $\varphi = \bigvee_{i \in I} \varphi_i$. Each intermediate assertion $\varphi_i$ is associated with a transition $\tau_i \in T$ that is identified as helpful for $\varphi_i$.

The rule also requires the identification of a distance function $\delta_i$, for each $i \in I$. These functions map the states into the set $A$ of a well-founded structure $(A, B, \succ)$. The intended meaning of these functions is that they measure the distance of the current state from the closest state that satisfies the goal $q$ of the formula $p \Rightarrow \Diamond q$ which is the conclusion of the rule. We refer to the value of the distance function $\delta_i$ at a state satisfying $\varphi_i$ as the $i$-rank of that state, or simply as the rank of the state if $i$ is understood from the context.

Assuming that these constructs have been identified, the following rule establishes the $P$-validity of the formula $p \Rightarrow \Diamond q$.

WELL

W1. $p \to (q \vee \varphi)$

The following premises should hold for each $i \in I$:

W2. $(\rho_\tau \wedge \varphi_i) \to \bigl(q' \vee \bigvee_{j \in I} [\varphi'_j \wedge (\delta_i \succ \delta'_j)] \vee [\varphi'_i \wedge (\delta_i = \delta'_i)]\bigr)$ for every $\tau \in T$

W3. $(\rho_{\tau_i} \wedge \varphi_i) \to \bigl(q' \vee \bigvee_{j \in I} [\varphi'_j \wedge (\delta_i \succ \delta'_j)]\bigr)$

W4. $\varphi_i \to (q \vee (En(\tau_i) \wedge (\delta_i \in B)))$

$p \Rightarrow \Diamond q$

Premise W1 requires that $p$ implies that either $q$ already holds, or the intermediate assertion $\varphi$ (i.e., one of the $\varphi_i$'s) holds. Premise W2 requires that taking any transition from a $\varphi_i$-state results in a next state which either satisfies $q$, or satisfies $\varphi_j$ for some $j \in I$ and has a ($j$-)rank lower than that of the original state, or satisfies $\varphi_i$ and has an equal rank. Premise W3 requires that taking the helpful transition $\tau_i$ from a $\varphi_i$-state results in a next state which either satisfies $q$, or satisfies some $\varphi_j$ with a lower rank. Premise W4 requires that any state $s$ satisfying $\varphi_i$ either satisfies $q$, or is such that $\tau_i$ is enabled on it, and the $i$-rank of $s$, $\delta_i(s)$, assumes a value in $B$.

Assume that all the four premises hold. Consider a computation $\sigma$ and a position $m$ that satisfies $p$. We wish to prove that some later position satisfies $q$. Assume to the contrary that all positions later than $m$ (including $m$ itself) do not satisfy $q$. By W1 and W2 each of these positions must satisfy some $\varphi_j$ and, according to W4, the value of $\delta_j$ for this position, to which we refer as the rank of the position, lies within $B$. By W2, the rank can either decrease or remain the same. By the assumption that $\succ$ is well founded over $B$, the rank can actually decrease only finitely many times. Therefore, there must exist some position $k \ge m$ beyond which the rank never decreases.

Assume that $\varphi_i$ is the assertion holding at position $k$. Since $q$ is never satisfied and the rank never decreases beyond position $k$, it follows (by W2) that $\varphi_i$ holds continually beyond $k$. By W3, $\tau_i$ cannot be taken beyond $k$, because that would have led to a position satisfying $q$ or to a decrease in the rank. By W4, $\tau_i$ is continually enabled beyond $k$ yet, by the argument above, it is never taken. This violates the requirement of justice for $\tau_i$. It follows that if all the premises of the rule hold then $p \Rightarrow \Diamond q$ is $P$-valid.

In many cases, we may use the same ranking function $\delta$ for all $i \in I$. We refer to this as the case of a uniform ranking function. In these cases it is possible to use a simpler form for the premises W2 and W3, which is given by:

W2. $(\rho_\tau \wedge \varphi_i) \to \bigl(q' \vee [\varphi' \wedge (\delta \succ \delta')] \vee [\varphi'_i \wedge (\delta = \delta')]\bigr)$ for every $\tau \in T$

W3. $(\rho_{\tau_i} \wedge \varphi_i) \to \bigl(q' \vee [\varphi' \wedge (\delta \succ \delta')]\bigr)$
Proving  Accessibility 

The main response property one usually wishes to prove for mutual exclusion programs
is that of accessibility, by which whenever a process departs from its non-critical section
it is guaranteed to eventually reach the critical section. In our case we will prove a
stronger property which implies accessibility. The property we will prove is

$(u \notin L_1) \Rightarrow \Diamond(u \in L_1)$.

This property, to which we refer as the homing property, states that from any location
away from the non-critical section, each process P[u] is guaranteed to home back to
the non-critical section. Since in our case, when a process just departs from $\ell_1$ it can
return to $\ell_1$ only via the critical section, the homing property implies accessibility. It also
guarantees that processes do not get stuck in any of the locations following the critical
section, such as $\ell_{11}$. The way we establish the homing property is by a sequence of
lemmas, each showing that a process cannot get stuck in any location, except perhaps in
the non-critical section. The lemmas corresponding to locations which involve no tests,
such as $\ell_0$, $\ell_1$, $\ell_2$, $\ell_4$, $\ell_6$, $\ell_8$, $\ell_{10}$, and $\ell_{12}$, are trivial and will be omitted. We will concentrate
on the testing locations.

The well-founded structures that we will use are either $(Nat, >)$, or the lexicographic
products of such structures.

Lemma 1 (Not Stuck at $\ell_{9..12}$)

$(u \in L_{9..12}) \Rightarrow \Diamond(u \in L_0)$

This lemma states that if the process P[u] is anywhere within $\ell_{9..12}$, it will eventually
return to $\ell_0$.

To prove this lemma, we first prove two auxiliary lemmas.

Lemma 1.1 (Evacuation of the Waiting Room)

$(u \in L_{9..12}) \Rightarrow \Diamond((u \in L_0) \vee [(u \in L_{9..12}) \wedge (L_{5..8} = \emptyset)])$

This lemma states that if P[u] is currently at $\ell_{9..12}$ then either it will reach $\ell_0$, or
prior to that, the computation will reach a state in which P[u] is still at $\ell_{9..12}$, but the
waiting room $\ell_{5..8}$ is empty.

To prove this lemma we use the following intermediate assertions, uniform distance
function, and helpful transitions:

$\varphi_{(k,i)} : (u \in L_{9..12}) \wedge (L_{5..8} \neq \emptyset) \wedge (i \in L_k)$

$\delta : \bigl(4 \cdot N_5 + 3 \cdot N_6 + 2 \cdot N_7 + N_8,\; \sum_{i \in L_5} (n - j_i) + \sum_{i \in L_7} ((u - j_i) \bmod n)\bigr)$

$\tau_{(k,i)} : \tau_k[i]$

for $k \in \{5..8\}$ and $i \in \{0..n-1\}$. Thus, we use for the index set $I$ the set

$I : \{(k,i) \mid k \in \{5..8\},\ i \in \{0..n-1\}\}$

Let us convince ourselves that taking any helpful transition decreases the distance function.
Clearly a movement of process P[i] from any location in the range $\ell_{5..8}$ to any other
location decreases the first component of $\delta$. For example, a movement of P[i] from $\ell_6$ to
$\ell_7$ removes $i$ from $L_6$, where it has a weight of 3, and adds it to $L_7$ with a weight of 2.
Consequently, the net change in the first component is $-1$.

Next, let us consider a transition that involves a compound test. Consider, for example,
a transition of process P[i] which currently resides at $\ell_5$. According to $\tau_5[i]$ there
are three possibilities. The first possibility is that P[i] moves from $\ell_5$ to $\ell_8$, decreasing
$\delta$ by $(3,0)$, i.e., 3 in the first component and 0 in the second component. The second
possibility is that P[i] moves from $\ell_5$ to $\ell_6$, decreasing $\delta$ by $(1,0)$. The last possibility is
that $j_i$ increases by 1, decreasing $\delta$ by $(0,1)$, due to the summand $n - j_i$ appearing in
the second component of $\delta$.

A somewhat more subtle argument is needed for the consideration of the transitions
$\tau_7[i]$. Here there are two possibilities. Either P[i] moves from $\ell_7$ to $\ell_8$, or $j_i$ is incremented
modulo $n$. In the first case $\delta$ decreases by $(1,0)$. In the second case, we have to show
that $((u - j_i) \bmod n)$ decreases. First, we observe that, since $u \in L_{9..12}$, $flag[u] = 4$, and
therefore the test at $\ell_7$ cannot fail for $j_i = u$. We conclude that the second possibility
exists only if $j_i \neq u$. In that case we rely on the property of the integers, by which if
$0 \le j_i, u < n$ and $j_i \neq u$, then

$((u - j_i) \bmod n) > ((u - (j_i + 1)) \bmod n)$.

It follows that, in the second case, $\delta$ decreases by $(0,1)$.

Next let us show that any non-helpful transition either establishes $u \in L_0$, or at least
preserves $\varphi_{(k,i)}$ and $\delta$. Clearly, this is true for $\tau_{12}[u]$. The only other transitions that may
be suspected of falsifying $\varphi_{(k,i)}$ or increasing $\delta$ are those that may cause new processes
to join $\ell_{5..8}$. However, due to the assumption $u \in L_{9..12}$ and the invariant $B_1$, there are
no processes at $\ell_4$, and therefore no new processes can join $\ell_{5..8}$. ⊣

Lemma 1.2 (Progress within the Inner Sanctum)

$[(u \in L_{9..12}) \wedge (L_{5..8} = \emptyset)] \Rightarrow \Diamond(u \in L_0)$

This lemma claims that if now there is no process within the range $\ell_{5..8}$ then process
$u$ will eventually proceed to $\ell_0$. Of course, for that to happen, all the processes with
lower indices must arrive at $\ell_{10}$ first and depart via $\ell_{12}$.

To prove the lemma we use the following intermediate assertions, uniform distance
function, and helpful transitions:

$\varphi_{(k,i)} : (u \in L_{9..12}) \wedge (L_{5..8} = \emptyset) \wedge (i \in L_k) \wedge (i = min_4)$

$\delta : (4 \cdot N_9 + 3 \cdot N_{10} + 2 \cdot N_{11} + N_{12},\; n - j_{min_4})$

$\tau_{(k,i)} : \tau_k[i]$

for $k \in \{9..12\}$ and $i \in \{0..n-1\}$, and where $min_4$ is defined to be the minimal element
of $F_4 = L_{9..12}$ if that set is not empty, and 0 otherwise. In the case that $L_{9..12}$ is not
empty, $min_4$ denotes the minimal index among all the processes currently residing at
$\ell_{9..12}$ and (consequently) having a flag value of 4.

It is not difficult to see that the process with the minimal index is always enabled
and causes a decrease in the value of the distance function, whatever transition in $\ell_{9..12}$
it takes. ⊣

We may now return to the proof of Lemma 1. We proceed as follows:

1. $(u \in L_0) \Rightarrow \Diamond(u \in L_0)$ by RFLX

2. $((u \in L_0) \vee [(u \in L_{9..12}) \wedge (L_{5..8} = \emptyset)]) \Rightarrow \Diamond(u \in L_0)$

by disj., 1., and Lemma 1.2.

3. $(u \in L_{9..12}) \Rightarrow \Diamond(u \in L_0)$ by trns., Lemma 1.1, and 2.

This concludes the proof.
Lemma 2 (Not Stuck at $\ell_7$)

$(u \in L_7) \Rightarrow \Diamond(u \in L_8)$

To prove this lemma, we first establish an additional invariant, using the INV rule.

$B_4 : (L_{6,7} \neq \emptyset) \rightarrow (L_{3..5} \cup L_{8..12} \neq \emptyset)$

This invariant guarantees that if there is some process in the region $\ell_{6,7}$ then there is
also some process in $\ell_{3..5}$ or in $\ell_{8..12}$. It is not difficult to show that the assertion $B_4$ holds
initially and is preserved by any transition. In particular, we may rely on $B_3$ to show
that no process can leave $\ell_{8..12}$ while $\ell_{6,7}$ is non-empty.

Then we prove two auxiliary lemmas.

Lemma 2.1 (Entering

$(u \in L_7) \Rightarrow \Diamond((u \in L_7) \wedge (L_{9..12} \neq \emptyset))$

Note that due to the invariant $B_1$, the set $L_{9..12}$ is precisely the set $F_4$, i.e., all the
processes in this region have a flag value of 4. To prove the lemma, we use the following
intermediate assertions, distance functions, and helpful transitions:

$\varphi_{(3,i)} : (u \in L_7) \wedge (L_{9..12} = \emptyset) \wedge (L_{4..6,8} = \emptyset) \wedge (i \in L_3)$

$\delta_{(3,i)} : (5 \cdot N_{0..3} + 4 \cdot N_4 + 3 \cdot N_5 + 2 \cdot N_6 + N_8,\; n - j_i)$

$\tau_{(3,i)} : \tau_3[i]$

For each $k \in \{4..6, 8\}$

$\varphi_{(k,i)} : (u \in L_7) \wedge (L_{9..12} = \emptyset) \wedge (i \in L_k)$

$\delta_{(k,i)} : (5 \cdot N_{0..3} + 4 \cdot N_4 + 3 \cdot N_5 + 2 \cdot N_6 + N_8,\; n - j_i)$

$\tau_{(k,i)} : \tau_k[i]$

where $i$ ranges over $\{0..n-1\}$.

As we see, the index set $I$ is partitioned into the two subsets $\{(3,i) \mid i \in \{0..n-1\}\}$
and $\{(k,i) \mid k \in \{4..6,8\},\ i \in \{0..n-1\}\}$. The transitions corresponding to the first
subset are considered helpful (as we see from $\varphi_{(3,i)}$) only when $L_{4..6,8}$ is empty. This is
necessary because P[i] is guaranteed to progress when it is at $\ell_3$ only if $L_{4..6,8}$ is empty.
Otherwise, the test at $\ell_3$ may cause $j_i$ to decrease, or at least not to increase. The
invariant $B_4$ is used to establish the premise

$(u \in L_7) \rightarrow \bigvee_{(k,i) \in I} \varphi_{(k,i)}$.

Essential to the proof is the observation that some process can move from $\ell_7$ to $\ell_8$
only if $L_{9..12}$ is already non-empty. ⊣
Lemma 2.2 (Escaping $\ell_7$)

$((u \in L_7) \wedge (L_{9..12} \neq \emptyset)) \Rightarrow \Diamond(u \in L_8)$

To prove this lemma, we use the following single intermediate assertion, single distance
function, and single helpful transition:

$\varphi_u : (u \in L_7) \wedge (L_{9..12} \neq \emptyset)$

$\delta : (min_4 - j_u) \bmod n$

$\tau_u : \tau_7[u]$

It is not difficult to see that when $L_{9..12} \neq \emptyset$, $flag[min_4] = 4$, and therefore P[u] will
find $flag[j_u] = 4$, at the latest, when $j_u = min_4$. ⊣

We may now return to the proof of Lemma 2. By transitivity, we may combine the
results of Lemma 2.1 and Lemma 2.2 to obtain

$(u \in L_7) \Rightarrow \Diamond(u \in L_8)$,

as claimed by Lemma 2. ⊣

Lemma 3 (Not Stuck at $\ell_5$)

$(u \in L_5) \Rightarrow \Diamond(u \in L_{6,8})$

This lemma is easily proven by taking

$\varphi_u : u \in L_5$

$\delta : n - j_u$

$\tau_u : \tau_5[u]$

Progress in the execution of the compound test at $\ell_5$ is guaranteed independently of the
flag values encountered. ⊣

Lemma 4 (Not Stuck at $\ell_3$)

$(u \in L_3) \Rightarrow \Diamond(u \in L_4)$

We define the following sets of process indices

$L_5(j > F_1) : \{i \mid i \in L_5,\ j_i > F_1\}$

$Block_3 : L_{8..12} \cup L_5(j > F_1)$

where the inequality $j_i > F_1$ is defined to hold if $F_1$ is non-empty and $j_i$ is greater than
any element of $F_1$. Consequently, if $F_1$ is empty, then so is $L_5(j > F_1)$. Note that by
the invariant $B_2$ it follows that if $L_5(j > F_1)$ is not empty, then $L_4 = \emptyset$, which implies
$F_1 = L_3$.

The set $Block_3$ represents the set of processes that may potentially block the progress
of any process currently at $\ell_3$ (including P[u]). Note that we have to add to $L_{8..12}$ also
the processes that are in $\ell_5$ and have already checked $flag[j]$ for all $j \in F_1$. This is
because such processes may potentially move to $\ell_8$. On the other hand, processes that
are in $\ell_5$ but have not checked $flag[j]$, for some $j \in F_1$, can only move to $\ell_6$.

We prove the following auxiliary lemmas.

Lemma 4.1

$(u \in L_3) \Rightarrow \Diamond((u \in L_4) \vee [(u \in L_3) \wedge (L_5(j > F_1) = \emptyset)])$

This lemma states that if P[u] is currently at $\ell_3$ then either it will reach $\ell_4$, or prior
to that, the computation will reach a state in which P[u] is still at $\ell_3$, but no process
P[i] is currently at $\ell_5$ with $j_i > F_1$.

To prove the lemma, we use

$\varphi_i : (u \in L_3) \wedge (i \in L_5(j > F_1))$

$\delta_i : (|L_5(j > F_1)|,\; n - j_i)$

$\tau_i : \tau_5[i]$

for $i \in \{0..n-1\}$. Thus, the relevant processes are those that are at $\ell_5$ and have already
checked $flag[j]$, for every $j \in F_1$. Note that no new processes can join $L_5(j > F_1)$ since
any process checking $flag[j]$, for some $j \in F_1$, proceeds immediately to $\ell_6$. ⊣

Lemma 4.2

$((u \in L_3) \wedge (L_5(j > F_1) = \emptyset)) \Rightarrow \Diamond((u \in L_4) \vee [(u \in L_3) \wedge (Block_3 = \emptyset)])$

This lemma establishes that if P[u] does not reach $\ell_4$ then at least the set $Block_3$
becomes empty. To prove the lemma, we use

$\varphi_{(7,i)} : (u \in L_3) \wedge (L_5(j > F_1) = \emptyset) \wedge (i \in L_7) \wedge (L_{9..12} \neq \emptyset)$

$\delta_{(7,i)} : (8 \cdot N_5 + 7 \cdot N_6 + 6 \cdot N_7 + 5 \cdot N_8 + 4 \cdot N_9 + 3 \cdot N_{10} + 2 \cdot N_{11} + N_{12},\; (min_4 - j_i) \bmod n)$

For each $k \in \{5, 6, 8\}$

$\varphi_{(k,i)} : (u \in L_3) \wedge (L_5(j > F_1) = \emptyset) \wedge (i \in L_k) \wedge (L_{8..12} \neq \emptyset)$

$\delta_{(k,i)} : (8 \cdot N_5 + 7 \cdot N_6 + 6 \cdot N_7 + 5 \cdot N_8 + 4 \cdot N_9 + 3 \cdot N_{10} + 2 \cdot N_{11} + N_{12},\; n - j_i)$

For each $k \in \{9..12\}$

$\varphi_{(k,i)} : (u \in L_3) \wedge (L_5(j > F_1) = \emptyset) \wedge (i \in L_k) \wedge (L_{5..8} = \emptyset) \wedge (i = min_4)$

$\delta_{(k,i)} : (8 \cdot N_5 + 7 \cdot N_6 + 6 \cdot N_7 + 5 \cdot N_8 + 4 \cdot N_9 + 3 \cdot N_{10} + 2 \cdot N_{11} + N_{12},\; n - j_i)$

for $i \in \{0..n-1\}$. The overall range of $k$ in the index set $\{(k,i)\}$ used in this lemma is
$\{5..12\}$, and as usual $\tau_{(k,i)} = \tau_k[i]$.

Note that since $L_{8..12} \neq \emptyset$, no new processes can enter $\ell_5$. ⊣

Lemma 4.3

$[(u \in L_3) \wedge (Block_3 = \emptyset)] \Rightarrow \Diamond(u \in L_4)$

Note that when $Block_3$ is empty it cannot become non-empty as long as P[u] stays
at $\ell_3$ with a flag value of 1. At most, processes can accumulate at $\ell_7$. Consequently, we
use the following constructs:

$\varphi_{(3,i)} : (u \in L_3) \wedge (Block_3 = \emptyset) \wedge (i \in L_3) \wedge (L_{4..6} = \emptyset)$

$\delta_{(3,i)} : (4 \cdot N_{0..3} + 3 \cdot N_4 + 2 \cdot N_5 + N_6,\; n - j_i)$

For each $k \in \{4..6\}$

$\varphi_{(k,i)} : (u \in L_3) \wedge (Block_3 = \emptyset) \wedge (i \in L_k)$

$\delta_{(k,i)} : (4 \cdot N_{0..3} + 3 \cdot N_4 + 2 \cdot N_5 + N_6,\; n - j_i)$

for $i \in \{0..n-1\}$.

Note that when $L_{4..6}$ is empty, any transition $\tau_3[i]$ is helpful. ⊣

It is not difficult to combine the results of Lemmas 4.1, 4.2, and 4.3, using reflexivity,
disjunction, and transitivity, to obtain the result of Lemma 4, namely:

$(u \in L_3) \Rightarrow \Diamond(u \in L_4)$ ⊣

This concludes the proof of the homing property for the mutex program.

6 Precedence Properties

Next, we consider properties that are expressed by the formula

$p \Rightarrow q_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_{r-1}\,\mathcal{U}\,q_r$,

for any $r \ge 0$. Adepts in temporal logic will recognize this formula as a nested unless
formula. For our purposes here, it suffices to consider it as a temporal operator of $r + 2$
arguments.

To define the semantics of this operator, we deal with half-open intervals of the form
$[i..j)$, for $i \le j$. Such an interval consists of all the positions $k$ such that $i \le k < j$. Note
that if $i = j$, the interval is empty. For the two intervals $[i..j)$ and $[j..k)$, we say that the
second interval is adjacent to (or follows) the first, and observe that their union is also
a half-open interval, given by $[i..k)$. For infinite computations, we also allow intervals of
the form $[i..\omega)$ for an integer $i$, and the interval $[\omega..\omega)$, which by definition is empty.

Given a computation $\sigma : s_0, s_1, \ldots$, we say that the interval $[i..j)$ is a $p$-interval if for
every $k \in [i..j)$, $s_k$ satisfies $p$. By definition, an empty interval is a $p$-interval for every
assertion $p$.

A computation $\sigma$ is said to satisfy the precedence formula $p \Rightarrow q_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_{r-1}\,\mathcal{U}\,q_r$ if for
every $p$-position $i$ there exists a sequence of positions $i = i_0 \le i_1 \le \ldots \le i_r \le |\sigma|$, such
that $[i_0..i_1)$ is a $q_0$-interval, ..., $[i_{r-1}..i_r)$ is a $q_{r-1}$-interval, and finally, if $i_r < |\sigma|$, then $i_r$
is a $q_r$-position. That is, it requires that any $p$-position initiates a $q_0$-interval, which is
followed by a succession of $q_1, \ldots, q_{r-1}$-intervals, where the $q_{r-1}$-interval either extends
to the end of the computation or is terminated by a $q_r$-position. Note that this definition
allows some of the intermediate intervals to be empty, and any of them to extend to the
end of the computation $|\sigma|$ (which may also be $\omega$), and this forces all the succeeding
intervals to have the form $[|\sigma|..|\sigma|)$, and therefore to be empty.

The precedence formula $p \Rightarrow q_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_{r-1}\,\mathcal{U}\,q_r$ is said to be P-valid if it is satisfied by
all computations of the program P.

Let us see how the property of linear wait, as claimed in [Szy88] for the mutex
program, can be expressed by a precedence formula. Consider the precedence formula

$[(u \in L_3) \wedge (v \in L_{1,2})] \Rightarrow (v \notin L_{10})\,\mathcal{U}\,(v \in L_{10})\,\mathcal{U}\,(v \notin L_{10})\,\mathcal{U}\,(u \in L_{10})$

This formula considers the question of how many times the process P[v] can overtake the
process P[u] on its way to the critical section. It considers a starting position in which
P[u] has already made public its intention to proceed to the critical section (by setting
$flag[u]$ to 1), while P[v] has not done so yet. In this starting position P[u] is somewhat
ahead of P[v]. The precedence formula predicts that, following such a position, there will
be an interval in which P[v] is not critical (i.e., not in the critical section $\ell_{10}$), followed
by an interval in which P[v] is critical, followed by an interval in which P[v] is again
non-critical, followed by a position in which P[u] is critical. Consequently, it claims that
between the starting position and the entry of P[u] to the critical section, there can be
at most one visit of P[v] to the critical section. Note that the interval of P[v] being
critical can also be empty. This is why we say at most once. Note that this property
does not guarantee that P[u] will eventually get to the critical section, because any of the
preceding intervals may extend to the end of the computation. In [MP83] this property
is called 1-bounded overtaking.
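As an added example (not code from the paper), the interval semantics defined above, implemented as a checker over a finite computation prefix and applied to the 1-bounded overtaking formula just discussed. The traces are constructed by hand as process locations only, with $\ell_{10}$ taken as the critical section; they are not computations generated from the mutex program.

```python
# Added example (not from the paper): a checker for the interval semantics of
# the nested-unless formula  p => q_0 U q_1 U ... U q_{r-1} U q_r  over a
# finite prefix of a computation, applied to the 1-bounded overtaking formula.
from typing import Callable, Mapping, Sequence

State = Mapping[str, int]            # constructed: location of each named process
Assertion = Callable[[State], bool]


def satisfies_precedence(sigma: Sequence[State], p: Assertion,
                         qs: Sequence[Assertion]) -> bool:
    """sigma |= p => q_0 U ... U q_r, with qs = [q_0, ..., q_r]: every
    p-position i must start a q_0-interval, followed by q_1-, ..., q_{r-1}-
    intervals (each possibly empty, or extending to the end of sigma), the
    last of which is closed by a q_r-position unless it reaches |sigma|."""
    return all(_chain_holds_from(sigma, i, qs)
               for i, s in enumerate(sigma) if p(s))


def _chain_holds_from(sigma: Sequence[State], start: int,
                      qs: Sequence[Assertion]) -> bool:
    r = len(qs) - 1
    # `lowest` is the smallest k whose q_k-interval can still be open at the
    # current position; because intermediate intervals may be empty, every
    # stage k' >= lowest is reachable there as well, so one number suffices.
    lowest = 0
    for j in range(start, len(sigma)):
        s = sigma[j]
        if qs[r](s):                  # a q_r-position terminates the chain
            return True
        nxt = next((k for k in range(lowest, r) if qs[k](s)), None)
        if nxt is None:               # s_j fits no interval that is still open
            return False
        lowest = nxt
    return True     # an open interval extends to |sigma|; the rest are empty


def one_bounded_overtaking(sigma: Sequence[State]) -> bool:
    """The linear-wait formula of the text, with location 10 the critical section:
    [(u in L_3) and (v in L_{1,2})] =>
        (v not in L_10) U (v in L_10) U (v not in L_10) U (u in L_10)."""
    p = lambda s: s["u"] == 3 and s["v"] in (1, 2)
    v_noncrit = lambda s: s["v"] != 10
    v_crit = lambda s: s["v"] == 10
    u_crit = lambda s: s["u"] == 10
    return satisfies_precedence(sigma, p, [v_noncrit, v_crit, v_noncrit, u_crit])


def trace(*locs: tuple) -> list:
    """Constructed computation prefix from (location of u, location of v) pairs."""
    return [{"u": lu, "v": lv} for lu, lv in locs]


# Constructed traces (locations only; not computations generated from mutex).
ONE_OVERTAKE = trace((3, 2), (3, 3), (3, 9), (3, 10), (3, 11), (5, 0), (9, 1), (10, 1))
TWO_OVERTAKES = trace((3, 1), (3, 10), (3, 0), (3, 10), (10, 0))
UNFINISHED = trace((3, 1), (3, 10), (3, 0))           # u never becomes critical
NO_OVERTAKE = trace((3, 2), (10, 2))                   # q_1-, q_2-intervals empty

if __name__ == "__main__":
    for name, t in [("one overtake", ONE_OVERTAKE), ("two overtakes", TWO_OVERTAKES),
                    ("unfinished", UNFINISHED), ("no overtake", NO_OVERTAKE)]:
        print(f"{name}: {one_bounded_overtaking(t)}")
```

The unfinished trace is accepted because the last open interval is allowed to extend to the end of the computation, exactly as the definition permits.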

First let us consider two rules that characterize some of the basic properties of the
precedence operator.

MON (Monotonicity) rule:

$p \Rightarrow q_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_{r-1}\,\mathcal{U}\,q_r$
$\tilde{p} \rightarrow p,\quad q_0 \rightarrow \tilde{q}_0,\ \ldots,\ q_r \rightarrow \tilde{q}_r$
---------------------------------------------------------------
$\tilde{p} \Rightarrow \tilde{q}_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,\tilde{q}_{r-1}\,\mathcal{U}\,\tilde{q}_r$

This rule allows us to replace in a valid precedence formula the antecedent $p$ by a stronger
assertion $\tilde{p}$ and the assertions $q_0, \ldots, q_r$ appearing in the consequent by weaker assertions
$\tilde{q}_0, \ldots, \tilde{q}_r$, and obtain another valid formula.

For the next rule we introduce the following notations

$q_{i_1, i_2, \ldots, i_m} = q_{i_1} \vee q_{i_2} \vee \ldots \vee q_{i_m}$

$q_{i..k} = q_i \vee q_{i+1} \vee \ldots \vee q_k$ for $i \le k$

TEL (Telescoping) rule:

For each $i = 0, \ldots, r-1$

$p \Rightarrow q_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_i\,\mathcal{U}\,q_{i+1}\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_r$
---------------------------------------------------------------
$p \Rightarrow q_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_{i,i+1}\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_r$

For the case of $i < r-1$, this rule allows us to replace (telescope) the prediction of a
$q_i$-interval followed by a $q_{i+1}$-interval, by the prediction of a single $(q_i \vee q_{i+1})$-interval (i.e.,
a $q_{i,i+1}$-interval). For the end case of $i = r-1$, the rule allows us to replace the prediction
of a $q_{r-1}$-interval followed by a $q_r$-position, by the prediction of a $(q_{r-1} \vee q_r)$-position (i.e.,
a $q_{r-1,r}$-position).

The next rule is the main proof rule for establishing precedence properties of a given
program.

PREC rule:

R1. $p \rightarrow q_{0..r}$

R2. For each $i = 0, \ldots, r-1$, and each $\tau \in T$: $(q_i \wedge \rho_\tau) \rightarrow q'_{i..r}$
---------------------------------------------------------------
$p \Rightarrow q_0\,\mathcal{U}\,\ldots\,\mathcal{U}\,q_{r-1}\,\mathcal{U}\,q_r$


Proving Bounded Overtaking

We are now ready to prove the property of 1-bounded overtaking, or linear wait, for the
program mutex.

For our case, we take $r = 6$ and define $p$ as follows:

$p : (u \in L_3) \wedge (v \in L_{1,2})$

The assertion $q_0$ is given by

$q_0 : (u \in L_3) \wedge (Block_3 \neq \emptyset) \wedge (v \in L_{1..3})$

where $Block_3$ is as defined before, i.e., $Block_3 = L_{8..12} \cup L_5(j > F_1)$.

The assertions $q_1, \ldots, q_6$ are given by

$q_1 : (u \in L_{3,4}) \wedge (Block_3 = \emptyset) \wedge ((v \in L_{1..4,6,7}) \vee [(v \in L_5) \wedge (j_v \le u)])$

$q_2 : (u \in L_{5..7}) \wedge (L_{8..12} = \emptyset) \wedge (v \in L_{1..7})$

$q_3 : (u \in L_{5..9}) \wedge (L_{8..12} \neq \emptyset) \wedge (L_4 = \emptyset) \wedge (v \in L_{5..9})$

$q_4 : (u \in L_{5..9}) \wedge (L_{8..12} \neq \emptyset) \wedge (L_4 = \emptyset) \wedge (v \in L_{10})$

$q_5 : (u \in L_{5..9}) \wedge (L_{8..12} \neq \emptyset) \wedge (L_4 = \emptyset) \wedge (v \in L_{0..3,11,12})$

$q_6 : (u \in L_{10})$
It is beyond the scope of this paper to check the second premise for $i = 0, \ldots, 5$ and
all the transitions. We will, however, indicate in the table below what transitions $\tau_k[i]$
may lead from $q_l$ to $q_t$ for $l = 0, \ldots, 5$ and $t = 0, \ldots, 6$. Note that the same transition
may lead from $q_l$ to two or more $q_t$'s. By observing that the only non-empty entries in
this table correspond to $l \le t \le 6$, we are convinced that the second premise of the
PREC rule is valid. In computing such successors, we may rely on any of the previously
proven invariants.

From \ To   $q_0$            $q_1$            $q_2$            $q_3$            $q_4$            $q_5$            $q_6$

$q_0$       $\tau_{0..12}$   $\tau_{2,12}$

$q_1$                        $\tau_{0..12}$   $\tau_4[u]$

$q_2$                                         $\tau_{0..12}$   $\tau_5$

$q_3$                                                          $\tau_{0..12}$   $\tau_9[v]$                       $\tau_9[u]$

$q_4$                                                                           $\tau_{0..12}$   $\tau_{10}[v]$

$q_5$                                                                                            $\tau_{0..12}$   $\tau_9[u]$

We may conclude, by the PREC rule, that the precedence formula

$p \Rightarrow q_0\,\mathcal{U}\,q_1\,\mathcal{U}\,q_2\,\mathcal{U}\,q_3\,\mathcal{U}\,q_4\,\mathcal{U}\,q_5\,\mathcal{U}\,q_6$

is valid over the program mutex.

Next, we apply the monotonicity rule with $\tilde{p} = p$, $\tilde{q}_0 = \tilde{q}_1 = \tilde{q}_2 = \tilde{q}_3 : (v \notin L_{10})$,
$\tilde{q}_4 : (v \in L_{10})$, $\tilde{q}_5 : (v \notin L_{10})$, and $\tilde{q}_6 : (u \in L_{10})$. This application is justified by
observing that $\tilde{p} = p$, and getting easily convinced that $q_i$ implies $\tilde{q}_i$ for $i = 0, \ldots, 6$. The
application yields the formula

$p \Rightarrow \tilde{q}_0\,\mathcal{U}\,\tilde{q}_1\,\mathcal{U}\,\tilde{q}_2\,\mathcal{U}\,\tilde{q}_3\,\mathcal{U}\,\tilde{q}_4\,\mathcal{U}\,\tilde{q}_5\,\mathcal{U}\,\tilde{q}_6$.

Observing that $\tilde{q}_0 = \cdots = \tilde{q}_3$, we may telescope the first four intervals together. This
yields the formula

$p \Rightarrow \tilde{q}_0\,\mathcal{U}\,\tilde{q}_4\,\mathcal{U}\,\tilde{q}_5\,\mathcal{U}\,\tilde{q}_6$,

which, when substituting the assertions standing for $p$ and $\tilde{q}_i$, leads to

$[(u \in L_3) \wedge (v \in L_{1,2})] \Rightarrow (v \notin L_{10})\,\mathcal{U}\,(v \in L_{10})\,\mathcal{U}\,(v \notin L_{10})\,\mathcal{U}\,(u \in L_{10})$.